Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 8 May 2015 19:39:47 +0300
From: Aleksey Cherepanov <lyosha@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: [core john] [Johnny] Windows event loop

Mathieu,

On Fri, May 08, 2015 at 09:57:29AM -0400, Mathieu Laprise wrote:
> Important info from one of my last message :
> 
> > On Windows (tested on 8.1), Johnny can't terminate cleanly the main(and
> > only) process of JtR(equivalent of unix sigterm). So, start attack/pause
> > attack don't work. However, if we use the windows equivalent of SIGKILL, it
> > works.
> > From the Qt documentation,
> > On Windows, QProces::terminate() posts a WM_CLOSE message to all toplevel
> > windows of the process and then to the main thread of the process itself. Console
> > applications on Windows that do not run an event loop, or whose event loop
> > does not handle the WM_CLOSE message, can only be terminated by
> > calling kill(). However, kill() doesn't give you a chance to do some
> > cleanup.
> 
> 
> I continued working on this and read A LOT of websites about this problem
> and tried a lot of solutions. Here is for example one site that talks about
> this issue
> http://stackoverflow.com/questions/813086/can-i-send-a-ctrl-c-sigint-to-an-application-on-windows
> 
> Core-John handles CTRL_C events nicely. However, Qt sends WM_Close message
> with Process::terminate() which isn't working with console application that
> don't have windows.
> 
> I don't seem to find a clean solution that works. So here are those that
> works so far, but I prefer to warn you in case you don't want to accept
> that kind of workarounds in your code.
> 
> Solution 1 and 2 allows cleanup(it's like sigterm on unix)
> 
> Solution 1) This requires modifications to john. On Windows, for
> john_main_process, create a invisible window, and an event loop on a
> separate thread which will forward WM_CLOSE event to a function in john.
> I've done a prototype(not in john) and this solution works.

It may work if Johnny will be bundled with modified john and Johnny
does not support other versions.

> Solution 2) Do like the guy named Shakta on stackoverflow. This doesn't
> require changes on John. On johnny, use AttachConsole(johnProcessId);
> GenerateConsoleCtrlEvent()
> and send a CTRL_BREAK to john. The problem is that we receive it too and
> it'll kill Johnny. So that's why we create a simple software Helper.exe
> with those 3 lines. We'll launch it and it will send the signal for us.
> This works, I've tested it too, the details are in Shakta stackoverflow's
> answer. Cons : we have a new executable that will be called by johnny.

I found that solution too, in the same stackoverflow question. I think
it may be a good solution among others. On Windows, you'll find people
with old john. So using of a patch may be an option then to make
things clearer for newer versions. But for older versions, you need
the solution, I guess.

If you AttachConsole(), can't you just send Ctrl-C?

Though it is not clear to me: does CTRL_BREAK make john to save state
on exit? Or is it just a way to kill the process?

> Solution 3) Send QProcess::kill() but that doesn't give the chance for John
> to cleanup and Solar said it's important.

John writes cracked hashes every N minutes. These N minutes will be
lost. The N is set in john.conf . It may be big or not. They said that
usually N = 10 minutes.

Johnny make modify the config to make john to write more often. Though
it may hurt performance

I am pretty sure that you've tried `taskkill` without /f to kill john
from cmd. It did not work, right?

Thanks!

-- 
Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.